
Third-Party access to Facebook user accounts discovered

May 13th, 2011        


It looks like Facebook has privacy issues of its own to deal with right now, after admitting to hiring a PR firm to spread conspiracy stories about Google’s privacy issues. Cyber security firm and antivirus pioneer Symantec has recently discovered that third parties, in particular advertisers, have accidentally had access to Facebook users’ accounts, including profiles, photographs and chat, and also had the ability to post messages and mine personal information.

Thankfully, this was only an accident, and most of these third parties may not even have realized they could access the information. Symantec reported the issue to Facebook, which has since taken corrective action to help solve it. But how sure are you that no third party has already exploited this loophole?

It seems that any application on the social networking site has this access once it is integrated into the Facebook platform. According to Facebook, 20 million Facebook applications are installed every day. That’s quite alarming: who knows how many among those 20 million are spam applications?

Symantec discovered that in certain cases, Facebook IFRAME applications inadvertently leaked access tokens to third parties such as advertisers or analytics platforms. The company estimated that as of April 2011, close to 100,000 applications were enabling such leakage. Symantec also estimates that over the years, hundreds of thousands of applications may have accidentally allowed this to happen.

An access token works like a spare key granted by the user to a Facebook application: it can be used to perform certain actions on behalf of the user or to access the user’s profile. Each token is associated with a selected set of permissions, such as reading your wall, accessing your friend’s profile, or posting on your wall.
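
A defender's check for the kind of leak described above, as an added example that is not from this article or from Symantec: it scans captured HTTP requests for an access token reaching a host other than Facebook or the application itself, either in the request URL or in the Referer header. That the token travels in a URL under the parameter name `access_token` is an assumption the article does not detail, and all hostnames and token values are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter name (OAuth 2.0 convention); not stated in the article.
TOKEN_PARAMS = {"access_token"}

def tokens_in(url):
    """Return token values carried in the query string or fragment of a URL."""
    parts = urlsplit(url or "")
    found = []
    for component in (parts.query, parts.fragment):
        for name, value in parse_qsl(component):
            if name.lower() in TOKEN_PARAMS and value:
                found.append(value)
    return found

def is_first_party(host, trusted_suffixes):
    """True if host is a trusted domain or a subdomain of one."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in trusted_suffixes)

def redact(token):
    """Keep only a short prefix so the report does not itself leak the token."""
    return token[:4] + "..." if len(token) > 4 else "..."

def find_token_leaks(requests, trusted_suffixes):
    """Flag requests to untrusted hosts that expose a token via URL or Referer."""
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        if is_first_party(host, trusted_suffixes):
            continue  # the platform and the app are expected to see the token
        for channel in ("url", "referer"):
            for token in tokens_in(req.get(channel)):
                leaks.append({"third_party": host, "channel": channel,
                              "token": redact(token)})
    return leaks

# Constructed sample traffic from a hypothetical IFRAME application.
TRUSTED = ("facebook.com", "example-game.test")
SAMPLE_REQUESTS = [
    {"url": "https://apps.example-game.test/canvas?access_token=AAAA1111&ref=bookmark",
     "referer": "https://apps.facebook.com/example-game/"},
    {"url": "https://ads.example-adnet.test/pixel.gif?slot=3",
     "referer": "https://apps.example-game.test/canvas?access_token=AAAA1111&ref=bookmark"},
    {"url": "https://stats.example-analytics.test/collect?page=canvas&access_token=AAAA1111",
     "referer": "https://apps.example-game.test/canvas"},
    {"url": "https://cdn.example-static.test/app.js",
     "referer": "https://apps.example-game.test/canvas"},
]

if __name__ == "__main__":
    for leak in find_token_leaks(SAMPLE_REQUESTS, TRUSTED):
        print(leak)
```

Run against a proxy or browser capture of an application's page loads, any hit means a third party received a working token and the token should be treated as exposed.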
